Full Version: Automating new user and other stuff input
amfony
Hello gang,

It's been a while but I still have questions.

Now, it being the end of the year, I have a bunch (about 48) of new users to put into my system (Win2k AD, XP clients).

What I want to know is how can I do this automated? Like having an Excel sheet of usernames where certain scripts could run off, perhaps?

That's one issue - but I was wondering now, and this is the real pain in the ass part of new users.

It is that I have to go into the file server and make a new folder and name it after that user and then give full access to that folder for that user - hence creating a home folder for the user only accessible by themselves and of course IT administration.

Can I do this automated? I'm sure big ass companies don't sit there and do this stuff manually.


Cheers fellas
Aaron P
Create a share with secure permissions for users to create home folders:

How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
http://support.microsoft.com/default.aspx?...kb;en-us;274443

Create the target folder in the user's context - you can do this with a logon script e.g:

CODE

MD \\SERVER\HOME\%USERNAME%


or via Folder Redirection - redirect My Documents to the target folder: e.g. \\SERVER\HOME\%USERNAME%\My Documents

Then in a logon script map the home drive to the location created. This way you don't need to add anything to the user properties.

You can also use the same approach listed in the KB article for secure profile folders as well.
travelcard
Here is what we use to add pupils in our school. First is an example of the text file that is read by the batch file. The username, password and description are separated by commas but no spaces. The description makes it handy to find them in Active Directory afterwards when you sort by that column.

pupils.txt

CODE

johnsmith,password,year 10
MarkJones,megatron,year 8
JaneRussell,magic,year 9


AddPupils.bat
CODE

@echo on

for /f "tokens=1,2,3 delims=," %%1 in (pupils.txt) do (

rem Add user: net user username password
rem comment is description - scriptpath is the logon
rem script and profile path is the location of their
rem profile. Only username and password are compulsory.

net user "%%1" "%%2" /add /comment:%%3 /scriptpath:pupil.bat /profilepath:\\%computername%\profiles$\pupils

rem Make their home folder

md "d:\users\pupils\%%1"

rem Set permissions on home folder

cacls "d:\users\pupils\%%1" /G "%%1":F /e
cacls "d:\users\pupils\%%1" /G Administrators:F /e
cacls "d:\users\pupils\%%1" /G Managers:F /e
cacls "d:\users\pupils\%%1" /G Staff:F /e
cacls "d:\users\pupils\%%1" /E /R Everyone
cacls "d:\users\pupils\%%1" /E /R Users

rem Add new user to appropriate group

net group Pupils "%%1" /add

rem Share the user's folder and set permissions

net share "%%1$"="d:\users\pupils\%%1" /cache:none /grant:"%%1",full /grant:"staff",full /grant:"managers",full /grant:"administrators",full
)

semaja2.net
Wow, that's a nice script that would really speed things up.
travelcard
I've just noticed that I should have put quotes around the comment part. Without the quotes it will fail if you have a space in there - which I did in my example.

So that line should be:
CODE

net user "%%1" "%%2" /add /comment:"%%3" /scriptpath:pupil.bat /profilepath:\\%computername%\profiles$\pupils


One other thing might be worth considering. You will see that we've given the user full control to his own folder, which you might think makes sense. Unfortunately, that means they can take ownership of files and folders in there, so sometimes either deliberately or by accident they will make themselves the owner and remove the rights of the administrator etc. That is very easy to get back, of course, but it can mean that *some* types of backup will then skip the guy's files because it doesn't have access to the folder.

To solve this, we now only give the user read, write, change access to his folder so he now doesn't have the ability to take ownership OR remove other people's rights. Change the first 'cacls' line in the batch file as follows if you want to make this happen:

CODE

cacls "d:\users\pupils\%%1" /G "%%1":R /e
cacls "d:\users\pupils\%%1" /G "%%1":W /e
cacls "d:\users\pupils\%%1" /G "%%1":C /e
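
The problem described in the last post (a user with Full Control taking ownership or removing the administrators' rights) can be checked for on folders that already exist. The following is an added example, not part of the original thread: a report-only PowerShell audit that assumes the folder-per-username layout from the batch file and uses `SCHOOL` as a placeholder domain name.

```powershell
# Added example (not from the thread). Report-only: it changes nothing.
# Assumes each home folder is named after its account, as in the batch file
# above. 'SCHOOL' is a placeholder domain name. Needs PowerShell 3.0 or later.
param(
    [string]$HomeRoot = 'D:\users\pupils',  # folder layout used in the thread
    [string]$Domain   = 'SCHOOL'            # placeholder, replace with your own
)

# The two rights inside Full Control that let a user rewrite the ACL or take
# ownership. Modify (cacls "C") contains neither.
$risky = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $account  = "$Domain\$($dir.Name)"
    $findings = @()

    try {
        $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop

        # Allow entries for the folder's own user that carry a risky right.
        $bad = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $risky) -ne 0)
        })

        if ($acl.Owner -eq $account) { $findings += 'user owns the folder' }
        if ($bad.Count -gt 0) { $findings += 'user can change permissions or take ownership' }
    } catch {
        # Typically means the auditing account was removed from the ACL,
        # the case that makes some backups skip the folder.
        $findings += "ACL unreadable: $($_.Exception.Message)"
    }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Folder  = $dir.FullName
            Account = $account
            Finding = $findings -join '; '
        }
    }
}
```

Run it from an account in the Administrators group; each output row is a home folder where the user can still lock out administrators or backups.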
